-
AuthorPosts
-
June 4, 2016 at 12:08 pm #642903
I’d like to secure my site with headers that are recommended from securityheaders.io. If i use the standard-versions like:
<ifModule mod_headers.c> Header set Strict-Transport-Security "max-age=31536000" env=HTTPS Header set Content-Security-Policy "default-src 'self'" Header set X-Content-Security-Policy "default-src 'self'" Header set X-Webkit-CSP "default-src 'self'" Header always append X-Frame-Options SAMEORIGIN Header set X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options: "nosniff" </ifModule>
Enfold stops working correctly. How do i have to modify the lines above to have those security headers and enfold working fine together?
Thanks in advance!
June 4, 2016 at 7:26 pm #642988Hi onlylettersandnumbers!
That is because of how you actually paste them, inside the htaccess file of WordPress and that is the reason it brakes.
You need to show us the hole htaccess file, so we can be able to assist you with it.Best regards,
BasilisJune 5, 2016 at 12:09 am #643024Hi,
thanks for your reply! This is the whole File (just changed the htpasswd-path), the problems only seem to occur with the securityheaders above added. This one seems to work quite fine (it’s a slightly changed version of dr webs htaccess). I guess the problem occurs when blocking external sources for loading?
# ---------------------------------------------------------------------- # | Komprimierung und Caching | # ---------------------------------------------------------------------- # Serve resources with far-future expires headers. # # (!) If you don't control versioning with filename-based # cache busting, you should consider lowering the cache times # to something like one week. # # https://httpd.apache.org/docs/current/mod/mod_expires.html <IfModule mod_expires.c> ExpiresActive on ExpiresDefault "access plus 1 week" # CSS ExpiresByType text/css "access plus 1 week" # Data interchange ExpiresByType application/atom+xml "access plus 1 hour" ExpiresByType application/rdf+xml "access plus 1 hour" ExpiresByType application/rss+xml "access plus 1 hour" ExpiresByType application/json "access plus 0 seconds" ExpiresByType application/ld+json "access plus 0 seconds" ExpiresByType application/schema+json "access plus 0 seconds" ExpiresByType application/vnd.geo+json "access plus 0 seconds" ExpiresByType application/xml "access plus 0 seconds" ExpiresByType text/xml "access plus 0 seconds" # Favicon (cannot be renamed!) and cursor images ExpiresByType image/vnd.microsoft.icon "access plus 1 week" ExpiresByType image/x-icon "access plus 1 week" # HTML ExpiresByType text/html "access plus 3600 seconds" # JavaScript ExpiresByType application/javascript "access plus 1 week" ExpiresByType application/x-javascript "access plus 1 week" ExpiresByType text/javascript "access plus 1 week" # Manifest files ExpiresByType application/manifest+json "access plus 1 week" ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds" ExpiresByType text/cache-manifest "access plus 0 seconds" # Media files ExpiresByType audio/ogg "access plus 1 week" ExpiresByType image/bmp "access plus 1 week" ExpiresByType image/gif "access plus 1 week" ExpiresByType image/jpeg "access plus 1 week" ExpiresByType image/png "access plus 1 week" ExpiresByType image/svg+xml "access plus 1 week" ExpiresByType image/webp "access plus 1 week" ExpiresByType video/mp4 "access plus 1 week" ExpiresByType video/ogg "access plus 1 week" ExpiresByType video/webm "access plus 1 week" # Web fonts # Embedded OpenType (EOT) ExpiresByType application/vnd.ms-fontobject "access plus 1 week" ExpiresByType font/eot "access plus 1 week" # OpenType ExpiresByType font/opentype "access plus 1 week" # TrueType ExpiresByType application/x-font-ttf "access plus 1 week" # Web Open Font Format (WOFF) 1.0 ExpiresByType application/font-woff "access plus 1 week" ExpiresByType application/x-font-woff "access plus 1 week" ExpiresByType font/woff "access plus 1 week" # Web Open Font Format (WOFF) 2.0 ExpiresByType application/font-woff2 "access plus 1 week" # Other ExpiresByType text/x-cross-domain-policy "access plus 1 week" </IfModule> <IfModule mod_deflate.c> # Insert filters / compress text, html, javascript, css, xml: AddOutputFilterByType DEFLATE text/plain AddOutputFilterByType DEFLATE text/html AddOutputFilterByType DEFLATE text/xml AddOutputFilterByType DEFLATE text/css AddOutputFilterByType DEFLATE text/vtt AddOutputFilterByType DEFLATE text/x-component AddOutputFilterByType DEFLATE application/xml AddOutputFilterByType DEFLATE application/xhtml+xml AddOutputFilterByType DEFLATE application/rss+xml AddOutputFilterByType DEFLATE application/js AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE application/x-javascript AddOutputFilterByType DEFLATE application/x-httpd-php AddOutputFilterByType DEFLATE application/x-httpd-fastphp AddOutputFilterByType DEFLATE application/atom+xml AddOutputFilterByType DEFLATE application/json AddOutputFilterByType DEFLATE application/ld+json AddOutputFilterByType DEFLATE application/vnd.ms-fontobject AddOutputFilterByType DEFLATE application/x-font-ttf AddOutputFilterByType DEFLATE application/x-web-app-manifest+json AddOutputFilterByType DEFLATE font/opentype AddOutputFilterByType DEFLATE image/svg+xml AddOutputFilterByType DEFLATE image/x-icon # Exception: Images SetEnvIfNoCase REQUEST_URI \.(?:gif|jpg|jpeg|png|svg)$ no-gzip dont-vary # Drop problematic browsers BrowserMatch ^Mozilla/4 gzip-only-text/html BrowserMatch ^Mozilla/4\.0[678] no-gzip BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html # Make sure proxies don't deliver the wrong content Header append Vary User-Agent env=!dont-vary </IfModule> #Alternative caching using Apache's "mod_headers", if it's installed. #Caching of common files - ENABLED <IfModule mod_headers.c> <FilesMatch "\.(ico|pdf|flv|swf|js|css|gif|png|jpg|jpeg|txt)$"> Header set Cache-Control "max-age=2592000, public" </FilesMatch> </IfModule> <IfModule mod_headers.c> <FilesMatch "\.(js|css|xml|gz)$"> Header append Vary Accept-Encoding </FilesMatch> </IfModule> # Set Keep Alive Header <IfModule mod_headers.c> Header set Connection keep-alive </IfModule> # If your server don't support ETags deactivate with "None" (and remove header) <IfModule mod_expires.c> <IfModule mod_headers.c> Header unset ETag </IfModule> FileETag None </IfModule> # ---------------------------------------------------------------------- # | 6g Firewall für Sicherheit # ---------------------------------------------------------------------- # 6G FIREWALL/BLACKLIST # @ https://perishablepress.com/6g/ # 6G:[QUERY STRINGS] <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{QUERY_STRING} (eval\() [NC,OR] RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR] RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR] RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR] RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR] RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR] RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|
|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\’|\”)(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* – [F]
</IfModule># 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
RewriteRule .* – [F]
</IfModule># 6G:[REFERRERS]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* – [F]
</IfModule># 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)([a-z0-9]{2000})
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\\’|=\\%27|/\\\’/?)\.
RedirectMatch 403 (?i)/(\$(\&)?|\*|\”|\.|,|&|&?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\”\\\”)
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule># 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
<limit GET POST PUT>
Order Allow,Deny
Allow from All
Deny from env=bad_bot
</limit>
</IfModule># 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
Order Allow,Deny
Allow from All
# uncomment/edit/repeat next line to block IPs
# Deny from 123.456.789
</Limit># ———————————————————————-
# | Zeichensatz setzen
# ———————————————————————-AddDefaultCharset UTF-8
# ———————————————————————-
# Wichtige WordPress-Dateien gegen den Zugriff von außen blocken
# ———————————————————————-# Verzeichnislistings verhindern
Options -Indexes# Kein Zugriff auf die install.php
<files install.php>
Order allow,deny
Deny from all
</files># Kein Zugriff auf die wp-config.php
<files wp-config.php>
Order allow,deny
Deny from all
</files># Kein Zugriff auf die xmlrpc.php
<files xmlrpc.php>
Order allow,deny
Deny from all
</files># Kein Zugriff auf die readme.html
<files readme.html>
Order Allow,Deny
Deny from all
Satisfy all
</Files># Kein Zugriff auf die liesmich.html für die DE Edition
<Files liesmich.html>
Order Allow,Deny
Deny from all
Satisfy all
</Files># Kein Zugriff auf das Error-Log
<files error_log>
Order allow,deny
Deny from all
</files>#Zugriff auf .htaccess und .htpasswd verbieten. Wenn keine .htpasswd benutzt wird, kann der Code dafür entfernt werden.
<FilesMatch “(\.htaccess|\.htpasswd)”>
Order deny,allow
Deny from all
</FilesMatch># Den Zugriff auf den Include-Ordner verbieten
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]
</IfModule># Schutz des Administrator-Bereichs. Wenn der .htaccess/.htpasswd Schutz genutzt werden soll, auskommentieren.
<Files wp-login.php>
AuthName “restriced access”
AuthType Basic
AuthUserFile /mypath/.htpasswd
require valid-user
</Files># ———————————————————————-
# | WordPress Rewrite Rules
# ———————————————————————-# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress`
I guess it would be fine to add other sources to the securityheaders? Or do you have any other idea?
Thanks in advance!
Cheers
- This reply was modified 8 years, 6 months ago by onlylettersandnumbers.
June 7, 2016 at 5:13 am #643769Hi,
I guess the problem occurs when blocking external sources for loading?
Yes, that’s probably the issue. The theme requires scripts from other domains like google, jquery etc and the following code limit sources loading only from your own domain:
Header set Content-Security-Policy "default-src 'self'"
Best regards,
IsmaelJune 7, 2016 at 5:15 am #643773Hi Ismael,
thanks for your reply. Is there a list of sources that are required to run enfold, so i can add them to this directive? Or, if not, any idea of how i could get it the easiest way?
Thanks in advance
Ümit
June 7, 2016 at 7:44 am #643842Hi!
It is not good to block those resources ( external ), because that way maybe in the feature, there is a plugin not going to work or even WordPress.
Better go ahead and allow external resources linking, there is no way to get hacked by that at all.Regards,
BasilisJune 7, 2016 at 7:46 am #643844Hi Basilis,
it’s more like a security-feature for the visitors, but okay, i guess it is not THAT important.
Thanks anyway!
Cheers
Ümit
-
AuthorPosts
- The topic ‘Security Headers (securityheaders.io)’ is closed to new replies.